Kaspersky Lab to allow scrutiny of source code

Moscow-based Kaspersky Lab said on Monday it will ask independent parties to review the security of its anti-virus software, which the U.S. government has said could jeopardize national security, citing concerns over Kremlin influence and hijacking by Russian spies.

Kaspersky, which research firm Gartner ranks as one of the world's top cyber security vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials.

It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said.

"We've nothing to hide," Chairman and CEO Eugene Kaspersky said on Monday. "With these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet."

Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.

U.S. President Donald Trump's administration last month barred government agencies from using Kaspersky Lab anti-virus products.

The world's top cyber security experts are divided over whether Russian intelligence hijacked Kaspersky software without its knowledge or whether the firm or one of its employees was complicit.

Israeli intelligence officials said they had found Russian government hackers using Kaspersky anti-virus software to steal spy secrets from the U.S. National Security Agency, according to reports this month in major U.S. media.

Kaspersky has repeatedly denied those allegations, saying it has not helped Russia or other governments engage in espionage and that it is simply caught up in a wider geopolitical spat between Moscow and Washington following allegations Russian hackers interfered in last year's U.S. elections.

Some researchers have pointed to the company’s problems in the United States as an example of the growing Balkanisation of the cyber security industry, which is making it harder to fight cross-border crime.

Restoring confidence

U.S. cyber security experts and former officials said the move by Kaspersky to open its software up for expert review could help alleviate concerns about future security gaps, but that the company had a lot of work to do to restore confidence.

Rodney Joffe, senior vice president at online identity management firm Neustar and an advisor to the U.S. Federal Communications Commission, said Kaspersky must show it has fixed all existing vulnerabilities, not just guarded against new ones.

"A good start would be a release of the source code for the products already out there, that matches the actual installed code base," Joffe told Reuters.

The company said it would open "transparency centers" in Asia, Europe and the United States where customers, governments and others can access results of the outside reviews and discuss any concerns about the security of Kaspersky products.

It also said it would expand a program where it pays independent security researchers to find security vulnerabilities in its products, boosting the maximum award size to $100,000 from $5,000.

But the company's critics remained skeptical. Democratic Senator Jeanne Shaheen, who led calls in the U.S. Congress to purge Kaspersky software from government networks, said in a statement that the review was "a red herring that doesn't address any of the fundamental underlying concerns with Kaspersky products," including Russian law that allows the Kremlin to monitor data transmissions.

(Reporting by Jim Finkle in Toronto, John Walcott and Dustin Volz in Washington, Eric Auchard in London and Jeremy Wagstaff in Singapore; Editing by Alexander Smith and Phil Berlowitz)

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.